Bug
Resolution: Fixed
Major
3.11.11, 4.0.5, 4.1
If the user has set Chrome (107.0.5304.122) or Edge (107.0.1418.56) to save and autofill the username and password of the Moodle site, when he/she creates a quiz and enables the use of Safe Exam Browser (Yes - Configure manually), the browser automatically fills the "Quit password" field with the user's password, without the user even noticing it until the students end the quiz and he/she is forced to tell them his/her password so that they can finish the quiz (!!!).
This behaviour can be detected when creating the quiz because the browser also adds the username to the quiz name.
This same issue also happens when adding user/group overrides to the quiz (it adds the user password to the override password field).
It doesn't happen with Firefox 107.0.
I don't think this is actually a Moodle security issue but one for the browsers, but the effects are surely a security problem, so I've added that flag to this issue.
Steps to replicate the issue:
- Open Moodle on Chrome/Edge
- Log in to the site and make the browser save your credentials
- Go to a course where you have editing capabilities
Issue A (SEB):
- Turn editing on
- Add a quiz
- Enable the use of Safe Exam Browser (Yes - Configure manually)
- Save changes (without even touching the "Quit password" setting)
- Notice that the SEB Quit password is the user's password (you can check it by querying the database or trying to answer the quiz)
Issue B (user overrides):
- Turn editing on
- Add a quiz
- Go to the User overrides of the quiz
- Add a user override
- Save changes (without even touching the "Require password" setting)
- Notice that the override's 'Require password' is the user's password (you can check it by querying the database or trying to answer the quiz logged in as that overridden user)
- has a non-specific relationship to
  - MDL-77618 Browsers auto-completing the user's password into admin setting password unmask fields (Closed)
  - MDL-76574 Improve the UX of passwords in formslib (Open)
- has been marked as being related by
  - MDL-53048 Create new "password" fields that are not auto-filled by password managers (Closed)
  - MDL-70447 Firefox auto-completing the user's password into inappropriate password unmask form fields (again!) (Closed)
- is a regression caused by
  - MDL-74814 Some accessibility issues in the edit profile page (Closed)
- is duplicated by
  - MDL-76191 Password unmask field no longer blocks browser password entry (Closed)
  - MDL-77026 Autofill error in LTI tool form (Closed)
  - MDL-77411 Adding a group could expose password of a user (Closed)
  - MDL-76720 Password field of the test override form is auto-filled (Closed)
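
An added example, not part of the original report and not Moodle's code: a static check over rendered form HTML that flags password inputs a browser may autofill with saved site credentials, together with the preceding text input where the saved username would likely land (the quiz name symptom described above). The field names and sample markup are constructed, and treating `autocomplete="new-password"` as the opt-out hint is an assumption about browser behaviour, not the fix applied for this issue.

```python
from html.parser import HTMLParser

# Assumption: this token is the hint that a password field is not a saved-login field.
# autocomplete="off" is not counted, since browsers commonly ignore it on password inputs.
SAFE_TOKENS = {"new-password"}


class AutofillAudit(HTMLParser):
    """Flag password inputs a password manager may treat as part of a login form."""

    def __init__(self):
        super().__init__()
        self.last_text = None  # most recent text input seen in the current form
        self.findings = []     # (password field, text field likely to receive the username)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.last_text = None  # username heuristics do not cross form boundaries
        if tag != "input":
            return
        kind = (a.get("type") or "text").lower()
        name = a.get("name") or a.get("id") or "?"
        if kind in ("text", "email"):
            self.last_text = name
        elif kind == "password":
            tokens = set((a.get("autocomplete") or "").lower().split())
            if not tokens & SAFE_TOKENS:
                self.findings.append((name, self.last_text))


def audit(html):
    """Return [(password_field, probable_username_field_or_None), ...]."""
    parser = AutofillAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; the field names are hypothetical, not Moodle's real ones.
SAMPLE = """
<form id="quizsettings">
  <input type="text" name="quizname">
  <input type="password" name="quitpassword">
  <input type="password" name="accesspassword" autocomplete="new-password">
</form>
<form id="override">
  <input type="password" name="overridepassword" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for pw, user in audit(SAMPLE):
        print(f"{pw}: may be autofilled; saved username may land in {user!r}")
```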